Microsoft has published advice on defending against "ice phishing", a class of crypto scam whose sole aim is to empty cryptocurrency wallets.
Just as ice fishing means cutting a hole in a frozen body of water to catch fish, ice phishing is, according to Microsoft, a form of clickjacking or user-interface redress attack: it tricks users into signing a transaction that delegates approval over the user's tokens to the attacker.
Scammers recently used malicious injected scripts to carry out ice phishing against the BadgerDAO web app, obtaining token approvals that let them drain nearly $120m from BadgerDAO users.
Christian Seifert, a security researcher at Microsoft, wrote in a blog post: "In an 'ice phishing' attack, the attacker merely needs to modify the sender address to the attacker's address. This can be quite effective as the user interface doesn't show all pertinent information that can indicate that the transaction has been tampered with."
According to Seifert, the scammers compromised Badger's smart contract front-end infrastructure at Cloudflare and gained control of a Cloudflare API key, which let them inject a malicious script into the Badger smart contract front end.
Seifert explained, “This script requested users to sign transactions granting ERC-20 approvals to the attacker’s account.”
ERC-20 is a standard for fungible tokens implemented as smart contracts on the Ethereum blockchain. It defines an API (functions such as transfer, approve, transferFrom and allowance) so that other contracts and applications can move tokens programmatically. A token owner can transfer tokens directly, but to let a smart contract such as a vault or exchange spend tokens on the owner's behalf, the owner must first call approve, granting that contract's address (the "spender") an allowance.
In the BadgerDAO theft, almost 200 people ended up handing control of their tokens to the scammers instead of to a legitimate smart contract, because the app interface did not make it obvious that the "spender" account being authorised was controlled by the attacker.
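The check that BadgerDAO's users never got is a look at the spender field before signing. The following JavaScript, an added example that is not from the Microsoft post or from the BadgerDAO code, decodes the calldata of an ERC-20 approve() call and compares the spender with the contract the dApp is supposed to be using, flagging an unlimited allowance as well. The four-byte function selectors are the standard ERC-20 ones; the vault and attacker addresses and the expected-spender list are made-up placeholders.

```javascript
// Added example: decode ERC-20 calldata and vet an approve() before signing.
// Not Microsoft's or BadgerDAO's code. Selectors are the first 4 bytes of
// keccak256 of the canonical ERC-20 signatures; addresses are placeholders.
const SELECTORS = {
  "0x095ea7b3": "approve",       // approve(address,uint256)
  "0xa9059cbb": "transfer",      // transfer(address,uint256)
  "0x23b872dd": "transferFrom",  // transferFrom(address,address,uint256)
};
const MAX_UINT256 = (1n << 256n) - 1n;   // the "unlimited" allowance

// Placeholder addresses (assumption): the dApp's real vault and the attacker.
const SAMPLE_VAULT = "0x" + "11".repeat(20);
const SAMPLE_ATTACKER = "0x" + "ee".repeat(20);

// Return the i-th 32-byte ABI word of the argument area as 64 hex chars.
function word(data, i) {
  const start = 10 + i * 64;              // skip "0x" and the 8-char selector
  const w = data.slice(start, start + 64);
  if (w.length !== 64) throw new Error("calldata too short");
  return w;
}
const toAddress = (w) => "0x" + w.slice(24).toLowerCase(); // last 20 bytes
const toUint = (w) => BigInt("0x" + w);

// Decode the three ERC-20 calls that matter for ice phishing.
function decodeErc20Call(data) {
  const selector = data.slice(0, 10).toLowerCase();
  const fn = SELECTORS[selector];
  if (!fn) return { fn: null, selector };
  if (fn === "approve") {
    return { fn, spender: toAddress(word(data, 0)), amount: toUint(word(data, 1)) };
  }
  if (fn === "transferFrom") {
    return { fn, from: toAddress(word(data, 0)), to: toAddress(word(data, 1)),
             amount: toUint(word(data, 2)) };
  }
  return { fn, to: toAddress(word(data, 0)), amount: toUint(word(data, 1)) };
}

// Pre-signing check: the spender must be one of the contracts the dApp is
// known to use, and an unlimited allowance deserves an explicit warning.
function checkApproval(data, expectedSpenders) {
  const call = decodeErc20Call(data);
  if (call.fn !== "approve") return { ok: true, call, warnings: [] };
  const allowed = new Set(expectedSpenders.map((a) => a.toLowerCase()));
  const warnings = [];
  if (!allowed.has(call.spender)) warnings.push(`unexpected spender ${call.spender}`);
  if (call.amount === MAX_UINT256) warnings.push("unlimited allowance");
  return { ok: warnings.length === 0, call, warnings };
}

// ABI-encode approve(spender, amount); a dApp front end builds the same bytes.
function encodeApprove(spender, amount) {
  const pad = (h) => h.padStart(64, "0");
  return "0x095ea7b3" + pad(spender.slice(2).toLowerCase()) + pad(amount.toString(16));
}

// Constructed sample: the legitimate approval the user expected, and the one
// an injected script would ask them to sign instead.
const legit = checkApproval(encodeApprove(SAMPLE_VAULT, 100n), [SAMPLE_VAULT]);
const tampered = checkApproval(encodeApprove(SAMPLE_ATTACKER, MAX_UINT256), [SAMPLE_VAULT]);
console.log("legit:", legit.ok, legit.warnings);
console.log("tampered:", tampered.ok, tampered.warnings);
```

A wallet or browser extension would apply checkApproval to the data field of every eth_sendTransaction request and show the decoded spender and amount rather than raw hex, which is exactly the "pertinent information" Seifert says the interface failed to surface.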
Such forms of cybercrime are tuned for "web3", which is to say decentralised finance and the related blockchain jargon, according to Seifert.
The bad actors scan social media for people seeking support with wallet software and reply with spoofed support messages in a bid to convince victims to reveal the private keys of their crypto wallets.
Another trick is to distribute new tokens for free; any transaction involving the token then fails with an error message that redirects the victim to a phishing site or a malware installer. Impersonating legitimate smart contract front ends or wallet software captures private keys directly.
You can call it web3, but in reality it is the same old web, code, and scammers, only made to seem shiny and new.
Microsoft has also provided tooling to help mitigate cryptocurrency-focused attacks: it has open-sourced an agent on Forta, a smart contract threat-detection platform. The agent looks for suspicious token approvals, the precursor of ice phishing, and for suspicious transfers.
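The detection idea behind such an agent can be shown on the chain's own event stream. The following JavaScript is an added example, not Microsoft's Forta agent: it runs over a constructed list of ERC-20 Approval and Transfer event records, flags a spender that is not on an assumed allow-list of known contracts and that collects approvals from several distinct owners inside a short window, and then flags any transfer that such a spender initiates out of a victim's balance. The addresses, timestamps, allow-list and thresholds are all made-up.

```javascript
// Added example of ice-phishing detection over ERC-20 events.
// Not Microsoft's Forta agent; sample data and thresholds are constructed.
const MAX_ALLOWANCE = (1n << 256n) - 1n;
const lower = (a) => a.toLowerCase();
const placeholder = (byte) => "0x" + byte.repeat(20);   // made-up addresses

// Assumed allow-list: contracts that legitimately receive many approvals.
const KNOWN_CONTRACTS = [placeholder("11")];

// Constructed sample: two approvals to the known vault (0x11..), three owners
// approving an unknown account (0xee..) within a few minutes, that account
// then pulling tokens out of one owner, and an unrelated single approval.
// txFrom is the account that submitted the transaction containing the event.
const SAMPLE_EVENTS = [
  { type: "Approval", owner: placeholder("01"), spender: placeholder("11"), value: MAX_ALLOWANCE, ts: 100, txFrom: placeholder("01") },
  { type: "Approval", owner: placeholder("02"), spender: placeholder("11"), value: MAX_ALLOWANCE, ts: 130, txFrom: placeholder("02") },
  { type: "Approval", owner: placeholder("03"), spender: placeholder("ee"), value: MAX_ALLOWANCE, ts: 200, txFrom: placeholder("03") },
  { type: "Approval", owner: placeholder("04"), spender: placeholder("ee"), value: MAX_ALLOWANCE, ts: 260, txFrom: placeholder("04") },
  { type: "Approval", owner: placeholder("05"), spender: placeholder("ee"), value: MAX_ALLOWANCE, ts: 310, txFrom: placeholder("05") },
  { type: "Transfer", from: placeholder("03"), to: placeholder("ee"), value: 500n, ts: 900, txFrom: placeholder("ee") },
  { type: "Approval", owner: placeholder("06"), spender: placeholder("22"), value: 10n, ts: 5000, txFrom: placeholder("06") },
];

// Scan events in time order. A spender outside the allow-list that gains
// approvals from at least minOwners distinct owners within windowSec is
// flagged once; afterwards any Transfer it initiates from someone else's
// balance (i.e. a transferFrom it submitted) is flagged as a drain.
function detectIcePhishing(events, opts = {}) {
  const { knownContracts = KNOWN_CONTRACTS, minOwners = 3, windowSec = 3600 } = opts;
  const known = new Set(knownContracts.map(lower));
  const recentApprovals = new Map();   // spender -> [{ owner, ts }] inside window
  const flagged = new Set();
  const findings = [];

  for (const ev of [...events].sort((a, b) => a.ts - b.ts)) {
    if (ev.type === "Approval") {
      if (ev.value === 0n) continue;                // revocations are benign
      const spender = lower(ev.spender);
      if (known.has(spender)) continue;
      const list = (recentApprovals.get(spender) ?? [])
        .filter((e) => ev.ts - e.ts <= windowSec);  // drop approvals outside window
      list.push({ owner: lower(ev.owner), ts: ev.ts });
      recentApprovals.set(spender, list);
      const owners = new Set(list.map((e) => e.owner));
      if (owners.size >= minOwners && !flagged.has(spender)) {
        flagged.add(spender);
        findings.push({ alert: "SUSPICIOUS-APPROVALS", spender, owners: owners.size, ts: ev.ts });
      }
    } else if (ev.type === "Transfer") {
      const sender = lower(ev.txFrom);
      if (flagged.has(sender) && lower(ev.from) !== sender) {
        findings.push({ alert: "SUSPICIOUS-TRANSFER", spender: sender,
                        victim: lower(ev.from), value: ev.value, ts: ev.ts });
      }
    }
  }
  return findings;
}

for (const f of detectIcePhishing(SAMPLE_EVENTS)) console.log(f);
```

Two design choices matter in practice: approvals are counted per distinct owner rather than per event, so one victim re-approving repeatedly does not trip the threshold, and the allow-list is what keeps a busy exchange or vault contract from being reported; on a live chain that list would be replaced by a check of whether the spender address has code, since an EOA that suddenly receives approvals from many wallets is the ice-phishing signature.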
To protect themselves from threats like the BadgerDAO attack, users must, according to Seifert, "review the smart contract you are interacting with and review the code in your npm dependencies." He also calls out a real problem with the entire web3 ecosystem: the lack of consumer protection.
He said, “[T]hese recommendations put a lot of burden on the users; we encourage web3 projects and wallet providers to increase usability to help users perform these actions.”